MARCO TEÓRICO CIENTÍFICO
2.1. Antecedentes del estudio
40 Freedom of information
There is a strong public interest in members of the public being able to find out easily why data is being shared, which organisations are involved and what standards and safeguards are in place. Making your policies and procedures available to the public proactively should help to reassure individuals and to establish an increased level of trust and confidence in your organisation’s data sharing practices. You should consider including details of data sharing with other public authorities within the policies and procedures that you publish in accordance with your publication scheme.
There will often be cases where data is shared with other public authorities. This will usually mean that the data is held for the purposes of the FOIA by all the data sharing partners and an FOI request could be made to any of the public authorities that hold the information. However, within the FOIA there is an exemption for the personal data of third parties that falls within the scope of a request. In many cases this exemption will apply as disclosure is likely to be unfair and so be in breach of the first data protection principle. Often people will make requests for information that cover both personal and non-personal data. For example, a person may request data about them that is being shared between various agencies and information about those agencies’ policies for sharing information. Data protection and freedom of information may be dealt with by separate parts of your organisation, and a hybrid request may have to be dealt with under both pieces of legislation. However, it is good practice to be as helpful as possible when dealing with requests of this sort, especially as members of the public may not understand the difference between a data protection and an FOI request. There may be circumstances where a private or third sector organisation shares data with a public authority. It is therefore important that, in such cases, individuals are made aware that information they provide will also be held by an organisation that is subject to the FOIA and so may fall within the scope of a request for information made to the public authority. However, as mentioned previously, there is an exemption within the FOIA for the personal data of third parties to which a request for information relates. In many cases this exemption will apply as disclosure is likely to be unfair and so be in breach of the principle that personal data must be processed fairly and lawfully.
Data sharing agreements 41
Data sharing agreements can take a variety of forms, depending on the scale and complexity of the data sharing in question. You should remember that a data sharing agreement is a set of common rules binding on all the organisations involved in a data sharing initiative. This means that the agreement should be drafted in clear, concise language that is easily understood.
Drafting and adhering to an agreement does not in itself provide any form of legal indemnity from action under the Data Protection Act (DPA) or other law. However, an agreement should help you to justify your data sharing and to demonstrate that you have been mindful of, and have documented, the relevant compliance issues. The ICO will take this into account should it receive a complaint about your data sharing.
In order to adopt good practice and to comply with the DPA, the ICO would expect a data sharing agreement to address the following issues:
Purpose of the data sharing initiative:
Your agreement should explain why the data sharing initiative is necessary, the specific aims you have and the benefits you hope to bring to individuals or to society more widely. This should be documented in precise terms so that all parties are absolutely clear as to the purposes for which data may be shared and shared data may be used.
The organisations that will be involved in the data sharing:
Your agreement should identify clearly all the organisations that will be involved in the data sharing and should include contact details for their key members of staff. It should also contain procedures for including additional organisations in the data sharing arrangement and for dealing with cases where an organisation needs to be excluded from the sharing.
Data items to be shared:
Your agreement should explain the types of data that you are intending to share with the organisations stated above. This may need to be quite detailed, because in some cases it will be appropriate to share certain details held in a file about someone, but not other, more sensitive, material. In some cases it may be appropriate to attach ‘permissions’ to certain data items, so that only certain members of staff, for example ones that have received appropriate training, are allowed to access them.